From b4a96e1398a4fd7341628ebde263bc2654e3770d Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Sun, 1 Oct 2023 11:23:05 +0200
Subject: [PATCH] new functions
---
 rev_shell.py | 7 ++++
 sshserver.py | 4 +--
 subdomainFuzz.sh | 4 +--
 template.py | 93 ++++++++++++++++++++++++++++++++++++------------
 util.py | 4 +++
 5 files changed, 85 insertions(+), 27 deletions(-)
diff --git a/rev_shell.py b/rev_shell.py
index b82e3d1..42b352a 100755
--- a/rev_shell.py
+++ b/rev_shell.py
@@ -300,6 +300,13 @@ def generate_payload(type, local_address, port, index=None):
 def spawn_listener(port):
 pty.spawn(["nc", "-lvvp", str(port)])
+def spawn_background_shell(port):
+ listener = ShellListener("0.0.0.0", port)
+ listener.startBackground()
+ while listener.connection is None:
+ time.sleep(0.5)
+ return listener
+
 def trigger_shell(func, port):
 def _wait_and_exec():
 time.sleep(1.5)
diff --git a/sshserver.py b/sshserver.py
index f6434f0..7b50635 100644
--- a/sshserver.py
+++ b/sshserver.py
@@ -66,11 +66,9 @@ class SSHServer:
 paramiko_connection = ParamikoConnection(self)
 transport.start_server(server=paramiko_connection)
 self.transports.append(transport)
- # for client_sock in self.client_sockets:
 except BlockingIOError:
 pass
- # handle_client(client_socket, client_address)
 finally:
 self.listen_socket.close()
@@ -81,7 +79,7 @@ class SSHServer:
 def close(self):
 if self.listen_socket:
- self.listen_socket.close()
+ self.listen_socket.shutdown(socket.SHUT_RDWR)
 for sock in self.client_sockets:
 sock.close()
diff --git a/subdomainFuzz.sh b/subdomainFuzz.sh
index 6333b95..10d500d 100755
--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
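Review bot: The wait loop `while listener.connection is None: time.sleep(0.5)` in spawn_background_shell has no upper bound, so a caller whose payload never connects back blocks forever and can only recover by killing the process. An optional keyword-only `timeout` (default None, so existing callers keep the unbounded wait) with a monotonic deadline lets scripts fail fast; on expiry the listener should also be stopped if ShellListener offers a way to do that, which this hunk does not show. `ShellListener`, `startBackground` and `time` are assumed to be in scope elsewhere in rev_shell.py. The listener also binds `"0.0.0.0"` unconditionally; a `bind_address` parameter defaulting to that value would let callers restrict it to a single interface.
```python
def spawn_background_shell(port, *, timeout=None):
    listener = ShellListener("0.0.0.0", port)
    listener.startBackground()
    # None keeps the original unbounded wait; otherwise give up after `timeout` seconds
    deadline = None if timeout is None else time.monotonic() + timeout
    while listener.connection is None:
        if deadline is not None and time.monotonic() >= deadline:
            raise TimeoutError(f"no connection on port {port} after {timeout}s")
        time.sleep(0.5)
    return listener
```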
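Review bot: `self.listen_socket.shutdown(socket.SHUT_RDWR)` in close() replaces the close() call, so the listening descriptor is now released only by the `finally: self.listen_socket.close()` of the accept loop shown in the previous hunk; if close() runs before that loop starts or after it has already exited, the socket stays bound until the object is garbage-collected. On Linux shutdown() on a listening socket does wake a blocked accept(), which is presumably the intent, but on other platforms it can raise OSError (ENOTCONN), and once the loop's finally has closed the socket a later close() call raises OSError as well. Guard it so close() stays safe to call more than once: `try: self.listen_socket.shutdown(socket.SHUT_RDWR)` / `except OSError: pass  # already closed, or platform refuses shutdown on a listener`, and keep the close() in the loop's finally as it is. This also assumes `socket` is imported in sshserver.py, which the hunk does not show.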
@@ -32,6 +32,6 @@ charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"
-ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
+(set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
- -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}"
+ -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
diff --git a/template.py b/template.py
index 9126860..3dd38d1 100755
--- a/template.py
+++ b/template.py
@@ -2,26 +2,21 @@
 import sys
-def generateTemplate(baseUrl):
- template = """#!/usr/bin/env python
+def generate_template(base_url, features):
-import os
-import sys
-import json
-import time
-import base64
-import requests
-import subprocess
-import urllib.parse
-from bs4 import BeautifulSoup
-from hackingscripts import util, fileserver, rev_shell
+ if "proxy" in features or "burp" in features:
+ proxy = """
+ if \"proxy\" not in kwargs:
+ kwargs[\"proxy\"] = {\"http\":\"http://127.0.0.1:8080\", \"https\":\"http://127.0.0.1:8080\"}
+"""
+ else:
+ proxy = ""
-from urllib3.exceptions import InsecureRequestWarning
-requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+ variables = {
+ "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
+ }
-BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
-
-def request(method, uri, **kwargs):
+ request_method = f"""def request(method, uri, **kwargs):
 if not uri.startswith("/") and uri != "":
 uri = "/" + uri
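Review bot: The proxy snippet added here sets `kwargs["proxy"]`, but the requests keyword is `proxies`, so every generated script built with the proxy or burp feature fails on its first request with a TypeError about the unexpected keyword argument 'proxy'. Change the two generated lines to `if "proxies" not in kwargs:` and `kwargs["proxies"] = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}`; the `\"` escapes are unnecessary inside a triple-quoted string and can go at the same time. `request_method` is now an f-string, so any literal `{` or `}` in the part of the request() body that lies between this hunk and the next (not visible here) must be doubled, otherwise generate_template raises at run time. generate_template continues in the following hunk.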
@@ -35,24 +30,78 @@ def request(method, uri, **kwargs):
 if "verify" not in kwargs:
 kwargs["verify"] = False
-
+ {proxy}
 return client.request(method, BASE_URL + uri, **kwargs)
+"""
+ methods = [request_method]
+
+ if "login" in features or "account" in features:
+ variables["USERNAME"] = '"Blindhero"'
+ variables["PASSWORD"] = '"test1234"'
+ methods.append("""
+def login(username, password):
+ session = requests.Session()
+ res = request("POST", "/login", data={"username": username, "password": password}, session=session)
+ if res.status_code != 200:
+ print("[-] Error logging in")
+ exit()
+
+ return session
+""")
+
+ if "register" in features or "account" in features:
+ variables["USERNAME"] = '"Blindhero"'
+ variables["PASSWORD"] = '"test1234"'
+ methods.append("""
+def register(username, password):
+ res = request("POST", "/register", data={"username": username, "password": password})
+ if res.status_code != 200:
+ print("[-] Error registering")
+ exit()
+
+ return True
+""")
+
+ main = """
 if __name__ == "__main__":
 pass
-""" % baseUrl
+"""
- return template
+ variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
+ header = f"""#!/usr/bin/env python
+
+import os
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, fileserver, rev_shell
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+{variables}
+
+"""
+
+ return header + "".join(methods) + main
 if __name__ == "__main__":
 if len(sys.argv) < 2:
- print("Usage: %s " % sys.argv[0])
+ print("Usage: %s [features]" % sys.argv[0])
 exit()
 url = sys.argv[1]
 if "://" not in url:
 url = "http://" + url
- template = generateTemplate(url)
+ features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+ template = generate_template(url, features)
 print(template)
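Review bot: Feature names from `sys.argv[2].split(",")` are never validated, so a misspelled feature (`burb`, `Login`) is silently ignored and the user gets a template without the code they asked for. Before calling generate_template, check the list against the names the function understands and fail loudly: `KNOWN_FEATURES = {"proxy", "burp", "login", "register", "account"}` / `unknown = set(features) - KNOWN_FEATURES` / `if unknown: print(f"[-] Unknown features: {', '.join(sorted(unknown))}"); exit()`, and list those names in the usage line. Two style points on the same hunk: `variables` is rebound from a dict to a str halfway through generate_template, which makes the function harder to follow (name the joined text `assignments` or similar), and the USERNAME/PASSWORD assignments are duplicated in the login and register branches, so a single check for any of `login`, `register`, `account` before both branches removes the repetition. The generated login/register helpers call `exit()` on failure, which is the interactive helper installed by the site module; `sys.exit(1)` is the robust form and gives the generated script a non-zero status a caller can test.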
diff --git a/util.py b/util.py
index 02c784b..4e76d95 100755
--- a/util.py
+++ b/util.py
@@ -3,6 +3,7 @@
 import random
 import math
 import socket
+import base64
 import itertools
 import netifaces as ni
 import string
@@ -209,6 +210,9 @@ def xor(a, b):
 return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
+def base64urldecode(data):
+ return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
+
 def set_exif_data(payload="", _in=None, _out=None, exif_tag=None):
 import exif
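Review bot: base64urldecode pads with `b'=' * (4 - len(data) % 4)`, which appends four `=` when the input length is already a multiple of four; that only decodes because the decoder discards surplus padding in its default non-strict mode, and it would be rejected by a strict decoder. `-len(data) % 4` yields exactly the missing padding (0 to 3 characters): `return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))`. The `data + b'='` concatenation also restricts the helper to bytes although urlsafe_b64decode itself accepts str; if str input is wanted (JWT segments usually arrive as str), add `if isinstance(data, str): data = data.encode("ascii")` first. An input whose length is 1 mod 4 is not valid base64 and still raises binascii.Error, which is the right outcome.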